test: required status checks on main for release workflow (#52)

Currently semantic-release runs on pushes to main to bump the release
version and update the CHANGELOG. It uses the 3ware-release app for
authentication - which is permitted to bypass pull requests. However,
due to the required status checks assigned to main branch's protection
rule, the app requires Administrator permissions to bypass the checks.

There are number of long running discussions requesting a *skip checks*
feature for this type of workflow:

community/community#13836

GitHub's documentation does provide a solution for **Handling Skipped
But Required Checks**:
https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/troubleshooting-required-status-checks#handling-skipped-but-required-checks

> You can fix this by creating a generic workflow, with the same name,
that will return true in any case similar to the workflow below

This pull request removes the `[skip ci]` syntax from semantic-releases
commit message.

Generic workflows for the pull request title validation and lint workflows have
also been added - as suggested in GitHub's docs.

Admin permissions will be removed from the application for testing the
new workflow.

.cspell.json

@@ -6,9 +6,12 @@
   "language": "en-GB",
   // words - list of words to be always considered correct
   "words": [
+    "amannn",
+    "analyzer",
     "aquasecurity",
     "codeql",
     "conventionalcommits",
+    "cycjimmy",
     "linters",
     "markdownlint",
     "noreply",

.github/dependabot.yml

@@ -5,7 +5,7 @@
 
 version: 2
 updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
+  - package-ecosystem: github-actions
+    directory: /
     schedule:
-      interval: "monthly"
+      interval: monthly

.github/workflows/dependency-review.yml

@@ -4,7 +4,7 @@
 #
 # Source repository: https://github.com/actions/dependency-review-action
 # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
-name: "Dependency Review"
+name: Dependency Review
 on: [pull_request]
 
 permissions:
@@ -14,7 +14,7 @@ jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
-      - name: "Checkout Repository"
+      - name: Checkout Repository
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
-      - name: "Dependency Review"
+      - name: Dependency Review
         uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1

.github/workflows/get-terraform-dir.yaml

@@ -1,9 +1,9 @@
-name: "Terraform directory"
+name: Terraform directory
 on:
   workflow_call:
     outputs:
       terraform-dir:
-        description: "The terraform directory to initialise"
+        description: The terraform directory to initialise
         value: ${{ jobs.terraform-directory.outputs.dir }}
 
 # Declare default permissions as read only.
@@ -19,23 +19,23 @@ jobs:
     outputs:
       dir: ${{ steps.changed-dir.outputs.all_changed_files }}
     steps:
-      - name: "Checkout repository"
+      - name: Checkout repository
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           persist-credentials: false
 
-      - name: "Get changed files"
+      - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@23e3c4300cb904a9d9c36fc2df4111a2fa9b9ff1 # v35.5.6
 
-      - name: "List all changed files"
+      - name: List all changed files
         run: |
           for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
             echo "$file was changed"
           done
 
       # Find the directory where files have been changed.
-      - name: "Get terraform directory"
+      - name: Get terraform directory
         id: changed-dir
         uses: tj-actions/changed-files@23e3c4300cb904a9d9c36fc2df4111a2fa9b9ff1 # v35.5.6
         # Step fails if nothing found.
@@ -47,7 +47,7 @@ jobs:
           dir_names: true
           dir_names_exclude_root: true
 
-      - name: "List terraform directory"
+      - name: List terraform directory
         if: ${{ steps.changed-dir.conclusion == 'success'}}
         run: |
           echo "${{ steps.changed-dir.outputs.all_changed_files }}"

.github/workflows/get-workflow-token.yaml

@@ -1,10 +1,10 @@
 # This workflow generates an installation access token for GitHub authentication
-name: "Generate workflow token"
+name: Generate workflow token
 on:
   workflow_call:
     outputs:
       temp-token:
-        description: "The temporary installation access token"
+        description: The temporary installation access token
         value: ${{ jobs.get-temp-token.outputs.token }}
 
 # Declare default permissions as read only.
@@ -17,15 +17,15 @@ jobs:
     outputs:
       token: ${{ steps.encrypt-token.outputs.encrypted-token }}
     steps:
-      - name: "Get GitHub authentication token"
+      - name: Get GitHub authentication token
         id: get-workflow-token
         uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db # v2.1.0
         with:
           application_id: ${{ secrets.THREEWARE_RELEASE_APPLICATION_ID }}
           application_private_key: ${{ secrets.THREEWARE_RELEASE_APPLICATION_PRIVATE_KEY }}
           organization: 3ware
 
-      - name: "Encrypt the token for reuse between jobs / workflows"
+      - name: Encrypt the token for reuse between jobs / workflows
         id: encrypt-token
         run: |
           ENCRYPTED_TOKEN=$(gpg --symmetric --batch --passphrase "$KEY" \

.github/workflows/lint.yaml

@@ -1,12 +1,8 @@
-name: "Lint"
+name: Lint
 on:
   pull_request:
-    types:
-      - opened
-      - edited
-      - synchronize
-    branches:
-      - main
+    types: [opened, synchronize]
+    branches: [main]
   workflow_call:
     inputs:
       terraform-version:
@@ -30,26 +26,26 @@ jobs:
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}
       cancel-in-progress: true
-    needs: ["find-terraform"]
+    needs: [find-terraform]
     steps:
-      - name: "Checkout repository"
+      - name: Checkout repository
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           persist-credentials: false
 
-      - name: "Setup Terraform"
+      - name: Setup Terraform
         if: ${{ needs.find-terraform.outputs.terraform-dir != '' }}
         uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
         with:
           terraform_version: ${{ inputs.terraform-version }}
           cli_config_credentials_token: ${{ secrets.TF_TOKEN_APP_TERRAFORM_IO }}
 
-      #Initialise terraform in the directory where terraform file have changed.
-      - name: "Initialise Terraform"
+      # Initialise terraform in the directory where terraform file have changed.
+      - name: Initialise Terraform
         if: ${{ needs.find-terraform.outputs.terraform-dir != ''}}
         working-directory: ${{ needs.find-terraform.outputs.terraform-dir }}
         run: terraform init
 
-      - name: "Lint with trunk"
-        if: ${{ always() }} #Run anyway, even if no terraform
+      - name: Lint with trunk
+        if: ${{ always() }} # Run anyway, even if no terraform
         uses: trunk-io/trunk-action@9cf65e08e822e9842fd9ef7ed2a2bd9092de0986 # v1.0.6

.github/workflows/pr-title.yaml

@@ -1,12 +1,9 @@
-name: "Validate PR title"
+name: Validate PR title
 
 on:
   pull_request_target:
-    types:
-      - opened
-      - edited
-      - synchronize
-  workflow_call:
+    types: [opened, edited]
+  workflow_call: {}
 
 # Declare default permissions as read only.
 permissions: read-all
@@ -22,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - name: "Validate pull request title is conventional"
+      - name: Validate pull request title is conventional
         uses: amannn/action-semantic-pull-request@b6bca70dcd3e56e896605356ce09b76f7e1e0d39 # v5.1.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/scorecard.yml

@@ -2,24 +2,24 @@
 # by a third-party and are governed by separate terms of service, privacy
 # policy, and support documentation.
 
-name: "Scorecard supply-chain security"
+name: Scorecard supply-chain security
 on:
   # For Branch-Protection check. Only the default branch is supported. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
   # branch_protection_rule:
   # To guarantee Maintained check is occasionally updated. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
   schedule:
-    - cron: "27 7 * * 6"
+    - cron: 27 7 * * 6
   push:
-    branches: ["main"]
+    branches: [main]
 
 # Declare default permissions as read only.
 permissions: read-all
 
 jobs:
   analysis:
-    name: "Scorecard analysis"
+    name: Scorecard analysis
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload the results to code-scanning dashboard.
@@ -31,12 +31,12 @@ jobs:
       # actions: read
 
     steps:
-      - name: "Checkout code"
+      - name: Checkout code
         uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
         with:
           persist-credentials: false
 
-      - name: "Run analysis"
+      - name: Run analysis
         uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
         with:
           results_file: results.sarif
@@ -58,15 +58,15 @@ jobs:
 
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
-      - name: "Upload artifact"
+      - name: Upload artifact
         uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
-      - name: "Upload to code-scanning"
+      - name: Upload to code-scanning
         uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
         with:
           sarif_file: results.sarif

.github/workflows/semantic-release.yaml

@@ -1,11 +1,10 @@
-name: "Semantic Release"
+name: Semantic Release
 
 on:
-  workflow_dispatch:
-  workflow_call:
+  workflow_dispatch: {}
+  workflow_call: {}
   push:
-    branches:
-      - main
+    branches: [main]
 
 # Declare default permissions as read only.
 permissions: read-all
@@ -21,14 +20,14 @@ jobs:
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}
       cancel-in-progress: true
-    needs: ["get-temp-token"]
+    needs: [get-temp-token]
     steps:
-      - name: "Checkout repository"
+      - name: Checkout repository
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           persist-credentials: false
 
-      - name: "Decrypt the installation access token"
+      - name: Decrypt the installation access token
         id: decrypt-token
         run: |
           DECRYPTED_TOKEN=$(gpg --decrypt --quiet --batch --passphrase "$KEY" \
@@ -39,7 +38,7 @@ jobs:
         env:
           KEY: ${{ secrets.PGP_SECRET_SIGNING_PASSPHRASE }}
 
-      - name: "Create GitHub release and update CHANGELOG"
+      - name: Create GitHub release and update CHANGELOG
         if: ${{ ! env.ACT }}
         uses: cycjimmy/semantic-release-action@8f6ceb9d5aae5578b1dcda6af00008235204e7fa # v3.2.0
         with:
@@ -51,7 +50,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ steps.decrypt-token.outputs.temp-token }}
 
-      - name: "Local test release"
+      - name: Local test release
         if: ${{ env.ACT }}
         uses: cycjimmy/semantic-release-action@8f6ceb9d5aae5578b1dcda6af00008235204e7fa # v3.2.0
         with:

.github/workflows/terraform-docs.yaml

@@ -1,6 +1,5 @@
-name: "Generate terraform docs"
-on:
-  workflow_call:
+name: Generate terraform docs
+on: workflow_call
 
 # Declare default permissions as read only.
 permissions: read-all
@@ -28,15 +27,15 @@ jobs:
     env:
       WORKING_DIR: ${{ needs.find-terraform.outputs.terraform-dir }}
       TF_DOCS_FILE: README.md
-    needs: ["get-temp-token", "find-terraform"]
+    needs: [get-temp-token, find-terraform]
     steps:
-      - name: "Checkout repository"
+      - name: Checkout repository
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           persist-credentials: false
 
-      - name: "Decrypt the installation access token"
+      - name: Decrypt the installation access token
         id: decrypt-token
         run: |
           DECRYPTED_TOKEN=$(gpg --decrypt --quiet --batch --passphrase "$KEY" \
@@ -47,20 +46,20 @@ jobs:
         env:
           KEY: ${{ secrets.PGP_SECRET_SIGNING_PASSPHRASE }}
 
-      - name: "Render terraform docs"
+      - name: Render terraform docs
         id: terraform-docs
         uses: terraform-docs/gh-actions@f6d59f89a280fa0a3febf55ef68f146784b20ba0 # v1.0.0
         with:
           working-dir: ${{ needs.find-terraform.outputs.terraform-dir }}
           output-file: ${{ env.TF_DOCS_FILE }}
           output-method: inject
 
-      - name: "Set file path env"
+      - name: Set file path env
         run: echo "FILE_PATH=${{ env.WORKING_DIR }}/${{ env.TF_DOCS_FILE }}" >> $GITHUB_ENV
 
       # Use the REST API to commit changes, so we get automatic commit signing
       # Only run this job if the file has changed to prevent empty commits
-      - name: "Push changes back to PR with signature"
+      - name: Push changes back to PR with signature
         id: push-with-sig
         if: ${{ steps.terraform-docs.outputs.num_changed != 0 }}
         env:
@@ -78,14 +77,14 @@ jobs:
             --field branch="$DESTINATION_BRANCH" \
             --field sha="$SHA"
 
-      - name: "Summary if skipped"
+      - name: Summary if skipped
         if: ${{ steps.push-with-sig.conclusion == 'skipped' }}
         run: |
           echo "### Push Skipped" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "Changes were not made to ${{ env.FILE_PATH }} on this run" >> $GITHUB_STEP_SUMMARY
 
-      - name: "Summary if successful"
+      - name: Summary if successful
         if: ${{ steps.push-with-sig.conclusion == 'success' }}
         env:
           BRANCH: ${{ github.head_ref  }}